6

The situation

I am generating a KMS Key in CloudFormation. According to the KMS policy documentation, it is crucial to create a policy where the Principal is the account itself, in order for IAM policies to be able to grant access to the key.

The question

How can I create the ARN for the account root in CloudFormation?

Dan

2 Answers

10

For those who use YAML for their CloudFormation templates:

!Sub arn:aws:iam::${AWS::AccountId}:root
Laurent Jalbert Simard
5

The answer

{
  "Fn::Join": [
    ":",
    [
      "arn:aws:iam:",
      { "Ref": "AWS::AccountId" },
      "root"
    ]
  ]
}

Why does this work?

First, let's examine the line, "Ref":"AWS::AccountId". This is a pseudo parameter reference, which is a fancy way of saying that it is a parameter that comes out of the box with CloudFormation. There are many such parameters. This one happens to give us the account ID, which is crucial for constructing the ARN.

Now, the rest is just the creation of an ARN using this account ID. Fn::Join is simply a CloudFormation built-in that allows concatenation of strings. This is crucial when combining references with string constants (or other references) as we are doing here.

The result is something like...

arn:aws:iam::123456789012:root
Dan
  • You can find the `AccountId` here https://console.aws.amazon.com/iam/home?#/security_credentials (you must be signed in) – sdgfsdh Nov 07 '19 at 16:30
  • 1
    This does not consider the variations for different region types, like `arn:aws-cn:iam`, `arn:aws-iso:iam`, and `arn:aws-iso-b:iam`. – Ben Whaley Mar 05 '20 at 17:43
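An added example (not code from the question or either answer) that puts both forms from the answers into a complete AWS::KMS::Key resource, using the AWS::Partition pseudo parameter so the root ARN is also correct in the aws-cn and aws-us-gov partitions mentioned in the comment above; KeyAdminRoleName is an assumed placeholder parameter.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: KMS key whose key policy delegates access control to IAM (added example)

Parameters:
  KeyAdminRoleName:
    Type: String
    Description: Existing IAM role name allowed to administer the key (assumed placeholder)

Resources:
  AppKey:
    Type: AWS::KMS::Key
    Properties:
      Description: Customer managed key for application data
      EnableKeyRotation: true
      KeyPolicy:
        Version: "2012-10-17"
        Statement:
          # Account root principal. Without this statement no IAM policy in the
          # account can grant access to the key, and the key can become unmanageable.
          # AWS::Partition resolves to aws, aws-cn or aws-us-gov, so the ARN stays
          # valid outside the commercial partition.
          - Sid: EnableIAMPoliciesForThisKey
            Effect: Allow
            Principal:
              AWS: !Sub arn:${AWS::Partition}:iam::${AWS::AccountId}:root
            Action: kms:*
            Resource: "*"
          # Same ARN shape built with Fn::Join, as in the JSON answer, here for an
          # administrator role; the empty segment yields the double colon after iam.
          - Sid: AllowKeyAdministration
            Effect: Allow
            Principal:
              AWS: !Join
                - ":"
                - - arn
                  - !Ref AWS::Partition
                  - iam
                  - ""
                  - !Ref AWS::AccountId
                  - !Sub role/${KeyAdminRoleName}
            Action:
              - kms:Describe*
              - kms:Enable*
              - kms:Disable*
              - kms:ScheduleKeyDeletion
            Resource: "*"
```

The first statement grants kms:* to the account root only in the sense that IAM policies in the account may now allow key actions; which principals actually get access is then decided by those IAM policies, so review them with the same care as the key policy.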